Hi all,

I'd like to share a bit of something I spent a little time on recently
and which eventually might make it into the AV-SPAM as configurable option:

I was getting a bit of SPAM in the last six weeks which had me bonkers.
It was usually 30-40 emails a day. About 10% of those were the stuff
that often slips through anyway.

The rest were often HTML-emails with random text in the footer, a link
and an image, or text that was generic enough to not outright trigger
any rules that would mark it as SPAM. Clearly the perpetrators were
checking their emails with SpamAssassin and tweaked them enough to make
the emails score low enough.

About 80% of those SPAMs that made it through were from the same ASN and
that ASN changed daily. The amount of ASNs they went through in the
last 30 days or so is kinda bamboozling. Yet they come back with more.

Still: The SPAMs were spread out through the day and night, so they
didn't all arrive at the same timeframe.

After optimizing some existing SpamAssassin rules (and creating new
ones) I managed to cut the leakage down a bit. However, I started to
think about starting my own RBL and to tie that into SpamAssassin, which
is fairly simple.

As I do run a PowerDNS master/slave DNS server with MySQL backend, it
was easy to do so: I just set an unused Zone aside, configured it
properly with short TTLs and short caching and set up a separate PHP
script that takes IPs, turns them into RBL records and (if not already
present in SQL) feeds them into SQL and bumps the Zone serial.

To automate this further I set up a Perl script that parses a separate
IMAP folder into which all detected SPAMs (and all SPAMs that I moved
manually into that folder) get parsed and the sender IP is extracted. The
script then checks if the sender IP is not in our whitelist (which
contains everything we never want to block!) and then automatically
pushes every remaining (bad) IP into the RBL blacklist.

From there it was just a matter to set up a cronjob that runs this every
few minutes. So all that is left to do is to move escaped SPAMs into
this separate IMAP folder and the offending IP gets blacklisted
automatically.

Even better: I have a few ancient mailboxes that get nothing but SPAM.
Including them in the script that parses the IMAP folder now auto-feeds
the IP addresses of SPAM-senders into the RBL as well.

Once the RBL has grown large enough to make it worth our while I'll
include it in the AV-SPAM and you can decide if you want to use it as
well and which score you apply to emails from IPs that are in the
Solarspeed RBL. If the score is high enough, these emails can be
rejected at the MTA level. Which is what I currently do.

-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
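The pipeline described in the post (extract the sender IP from a caught spam, skip whitelisted addresses, write the reversed-octet record into the DNS backend and bump the zone serial), as an added example that is not the author's Perl/PHP code. It assumes an in-memory SQLite stand-in for the PowerDNS SQL backend with a simplified `domains`/`records` schema, IPv4 only, a placeholder zone `rbl.example.invalid`, and constructed sample messages and whitelist networks. The sender IP is taken only from the `Received:` header written by our own MTA, so a forged `Received:` line added by the spammer further down is ignored.

```python
"""Constructed example: feed spam sender IPs into a DNS blocklist (RBL) zone.

Assumptions: SQLite stands in for the PowerDNS MySQL backend (simplified
schema, the real gmysql schema has more columns), IPv4 only, placeholder
zone name and constructed sample data.
"""
import email
import ipaddress
import re
import sqlite3

RBL_ZONE = "rbl.example.invalid"   # placeholder zone name
RBL_TTL = 300                      # short TTL, as in the post
LISTED = "127.0.0.2"               # conventional "listed" A answer
OUR_HOSTS = {"mx1.example.invalid"}  # our own MTA(s); only their Received: lines are trusted

# Whitelist: networks we never want to block (constructed values).
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]

# "from <name> (<comment> [ip]) by <host>" as written by a Postfix-style MTA.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)", re.S)

# Constructed sample messages: two from the same spam relay (a duplicate),
# one from a whitelisted network. The spammer's own forged Received: header
# sits below the one our MTA prepended and must not be used.
SPAM_A = b"""Received: from mail.spammer.invalid (unknown [203.0.113.9])
\tby mx1.example.invalid (Postfix) with ESMTP id AAA111; Mon, 1 Jan 2024 00:00:00 +0000
Received: from innocent.example (innocent.example [192.0.2.7])
\tby relay.spammer.invalid with SMTP; Mon, 1 Jan 2024 00:00:00 +0000
From: a@spammer.invalid
Subject: hello

body
"""
SPAM_B = SPAM_A.replace(b"AAA111", b"BBB222")
OK_MSG = b"""Received: from partner.example (partner.example [192.0.2.5])
\tby mx1.example.invalid (Postfix) with ESMTP id CCC333; Mon, 1 Jan 2024 00:00:00 +0000
From: b@partner.example
Subject: report

body
"""
SAMPLE_MESSAGES = [SPAM_A, SPAM_B, OK_MSG]


def sender_ip(raw_message):
    """IP of the host that handed the message to one of OUR_HOSTS, or None."""
    msg = email.message_from_bytes(raw_message)
    for rcvd in msg.get_all("Received", []):   # topmost header first
        m = RECEIVED_RE.search(rcvd)
        if m and m.group(2).lower() in OUR_HOSTS:
            return ipaddress.ip_address(m.group(1))
    return None


def is_whitelisted(ip):
    return any(ip in net for net in WHITELIST)


def rbl_name(ip):
    """Reversed octets under the zone: 203.0.113.9 -> 9.113.0.203.<zone>."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + RBL_ZONE


def open_db():
    """Simplified PowerDNS-style schema with one zone and its SOA record."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE domains(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE records(id INTEGER PRIMARY KEY, domain_id INTEGER,
                             name TEXT, type TEXT, content TEXT, ttl INTEGER);
        INSERT INTO domains(id, name) VALUES (1, '{RBL_ZONE}');
        INSERT INTO records(domain_id, name, type, content, ttl) VALUES
          (1, '{RBL_ZONE}', 'SOA',
           'ns1.{RBL_ZONE} hostmaster.{RBL_ZONE} 2024010100 300 60 86400 60', 300);
    """)
    return db


def serial(db):
    soa = db.execute("SELECT content FROM records WHERE type='SOA'").fetchone()[0]
    return int(soa.split()[2])


def blacklist_ip(db, ip):
    """Add the A record for ip unless already listed; bump the SOA serial on change."""
    name = rbl_name(ip)
    if db.execute("SELECT 1 FROM records WHERE name=? AND type='A'", (name,)).fetchone():
        return False
    db.execute("INSERT INTO records(domain_id, name, type, content, ttl) VALUES (1,?,?,?,?)",
               (name, "A", LISTED, RBL_TTL))
    soa_id, content = db.execute(
        "SELECT id, content FROM records WHERE domain_id=1 AND type='SOA'").fetchone()
    fields = content.split()
    fields[2] = str(int(fields[2]) + 1)   # serial bump so slaves pick up the change
    db.execute("UPDATE records SET content=? WHERE id=?", (" ".join(fields), soa_id))
    db.commit()
    return True


def process_folder(db, messages):
    """One cron run over the spam folder; returns (newly listed IPs, skipped IPs)."""
    added, skipped = [], []
    for raw in messages:
        ip = sender_ip(raw)
        if ip is None or is_whitelisted(ip):
            skipped.append(None if ip is None else str(ip))
            continue
        if blacklist_ip(db, ip):
            added.append(str(ip))
    return added, skipped


if __name__ == "__main__":
    conn = open_db()
    print(process_folder(conn, SAMPLE_MESSAGES), serial(conn))
```

The SpamAssassin side is a single `check_rbl` header rule pointing at the zone, scored as high as you trust your own list; rejecting at the MTA instead of scoring is the post's own choice and is independent of this script.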
